OWASP Data Breach Due to Wiki Web Server Misconfiguration

The Open Web Application Security Project (OWASP) Foundation disclosed a significant data breach. The breach, which was discovered in late February 2024, was caused by a misconfiguration of the foundation’s old Wiki web server.

This incident has led to the exposure of decade-old member resumes containing sensitive personal information.

OWASP, known for its commitment to improving software security, reported that the breach specifically affected members who joined the organization from 2006 to around 2014.

During this period, members were required to submit resumes as part of the membership process to demonstrate their connection to the OWASP community.

The resumes included names, email addresses, phone numbers, physical addresses, and other personally identifiable information (PII).

Misconfiguration Leads to Data Leak

After several support requests led to the discovery of the misconfiguration, OWASP took immediate action to address the breach.

The foundation has disabled directory browsing and thoroughly reviewed the web server and MediaWiki configuration to identify and rectify other potential security issues.

To prevent further unauthorized access, all resumes have been removed from the wiki site, and the Cloudflare cache has been purged.

Additionally, OWASP has reached out to the Web Archive with a request to remove the exposed resume information, thereby eliminating any lingering traces of the breach online.
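The remediation step at the heart of this incident is turning off directory browsing. As an added example (not code from the article or from OWASP), the script below shows what the weak and the corrected settings look like for an Apache httpd `<Directory>` block, and a small self-audit function that flags any `Options` line in a config file that still enables `Indexes`. The article does not say which web server OWASP ran; Apache, the `/var/www/wiki` path and both sample configs are constructed for illustration. On nginx the equivalent setting is `autoindex off;`.

```shell
#!/bin/sh
# Added example, not OWASP's configuration: Apache httpd directory-listing
# self-audit. Sample configs below are constructed; paths are assumptions.

# Constructed WEAK config: "Indexes" makes Apache return a listing of every
# file in a directory that has no index page, which is how a pile of old
# uploads becomes publicly browsable.
WEAK_CONF='<Directory "/var/www/wiki">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>'

# Constructed HARDENED config: "-Indexes" removes the option, so the same
# request returns 403 Forbidden instead of a file listing.
HARDENED_CONF='<Directory "/var/www/wiki">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>'

# indexes_enabled FILE
# Exit 0 if any non-comment "Options" line in FILE enables directory
# listings, i.e. carries a bare "Indexes", "+Indexes", or "All" (which
# includes Indexes). "-Indexes" does not match. Exit 1 otherwise.
indexes_enabled() {
    grep -v '^[[:space:]]*#' "$1" \
      | grep -iE '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+[+]?(Indexes|All)([[:space:]]|$)' \
      >/dev/null
}

# audit FILE
# Human-readable wrapper around indexes_enabled; exit 1 on a finding so the
# check can fail a deployment pipeline.
audit() {
    if indexes_enabled "$1"; then
        echo "$1: directory listings ENABLED - remove Indexes from Options"
        return 1
    fi
    echo "$1: directory listings disabled"
}

# Demonstration against the two constructed configs.
tmpdir=$(mktemp -d)
printf '%s\n' "$WEAK_CONF" > "$tmpdir/weak.conf"
printf '%s\n' "$HARDENED_CONF" > "$tmpdir/hardened.conf"
audit "$tmpdir/weak.conf" || true
audit "$tmpdir/hardened.conf"
rm -rf "$tmpdir"
```

Run it as `sh audit-indexes.sh`; to check a real host, call `audit` on each file under the server's configuration directory. Note that disabling listings only hides the directory index: files whose names are already known or cached elsewhere stay reachable until they are removed and any CDN or archive copies are purged, which is why the steps above did not stop at the configuration change.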

The foundation has also initiated contact with affected individuals despite the challenges posed by the outdated nature of the data and the fact that many of the individuals are no longer associated with OWASP.

The OWASP Foundation has recognized the breach’s significance, especially given its role in promoting cybersecurity awareness and best practices.

In an official statement, the foundation apologized to those impacted by the incident and reassured the public of its commitment to preventing such breaches in the future.

As part of this commitment, OWASP is reviewing its data retention policies and plans to implement additional security measures to enhance the protection of member data.

The incident highlights the importance of robust security configurations and the potential consequences of any oversights in this area.

OWASP’s transparent handling of the breach and its proactive steps to mitigate the impact exemplify the organization’s dedication to upholding the highest standards of data security and privacy.

Members who suspect their data may have been compromised are advised to remain vigilant against unsolicited communications and to take the usual precautions when responding to unexpected emails, mail, or phone calls.

OWASP assures that no immediate action is required if the information at risk is outdated. However, the foundation encourages those with current information at risk to be particularly cautious.

The OWASP Foundation’s full data breach notification can be found on their official blog, providing further details on the incident and the measures taken in response.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.